Processor system, engine control system and control method
Abstract
A processor system includes a master processor that successively processes a plurality of tasks, a checker processor that successively processes at least one of the plurality of tasks, and a control circuit that performs control so that the checker processor operates when the master processor and the checker processor perform a lock-step operation, and the checker processor stops its operation when the master processor and the checker processor do not perform the lock-step operation, the lock-step operation being an operation in which each of the master and checker processors processes the same task, in which the control circuit performs control so that a period from when a task is processed by the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period, the maximum test period being a test period acceptable to the processor system.
Claims
What is claimed is:
1. A processor system comprising:
a master processor that successively processes a plurality of tasks;
a checker processor that successively processes at least one of the plurality of tasks; and
a control circuit that performs control so that the checker processor operates when the master processor and the checker processor perform a lock-step operation, and the checker processor stops its operation when the master processor and the checker processor do not perform the lock-step operation, the lock-step operation being an operation in which each of the master processor and the checker processor processes the same task,
wherein the control circuit performs control so that a period from when a task is processed by the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period that is predetermined, the maximum test period being a test period acceptable to the processor system,
wherein the maximum test period is defined by subtracting a sum of a fault reaction time and a time necessary for a test process, from a fault tolerant time interval,
wherein the fault reaction time is a period from when a fault is detected to when the processor system changes to a stopped state, and
wherein the fault tolerant time interval is a period from when the fault occurs in the processor system to when the processor system changes to the stopped state.
2. The processor system according to claim 1, wherein
at least one fault diagnosis task is processed by interrupt handling at an interval equal to or shorter than the maximum test period, and
the control circuit performs control so that the lock-step operation is performed when the fault diagnosis task is processed by interrupt handling.
3. The processor system according to claim 2, wherein the control circuit performs control so that the lock-step operation is not performed when the fault diagnosis task is not processed by interrupt handling.
4. The processor system according to claim 2, wherein
a plurality of fault diagnosis tasks are processed by interrupt handling, and
a first fault diagnosis task among the plurality of fault diagnosis tasks is a task for performing a fault diagnosis for a first area of the master processor, and a second fault diagnosis task among the plurality of fault diagnosis tasks is a task for performing a fault diagnosis for a second area of the master processor.
5. The processor system according to claim 1, wherein
a first task and a second task different from the first task are processed by interrupt handling, the first task being a task for which if a fault occurs during its execution, that fault needs to be detected, and
the control circuit makes control so that the lock-step operation is performed when the first task is processed by interrupt handling.
6. The processor system according to claim 5, wherein the control circuit makes control so that the lock-step operation is performed when a fetch address in the master processor matches an address of the first task in a memory, the memory storing the plurality of tasks.
7. The processor system according to claim 1, wherein
a first task and a second task different from the first task are processed by interrupt handling and processed by the lock-step operation, the first task being a task for which if a fault occurs during its execution, that fault needs to be detected, and
the control circuit makes control so that the lock-step operation for the second task is not performed according to a frequency with which the processor system processes at least the first task.
8. The processor system according to claim 5, wherein when a period that has elapsed after the first task is processed by the lock-step operation becomes equal to or longer than a first period shorter than the maximum test period, and when a second processing of the first task by interrupt handling is requested, the control circuit performs control so that the first task is processed again by the lock-step operation.
9. A control method comprising:
performing control so that a checker processor is operated when a lock-step operation is performed, the lock-step operation being an operation in which a master processor and the checker processor each process the same task, the master processor being configured to successively process a plurality of tasks, the checker processor being configured to successively process at least one of the plurality of tasks;
performing control so that the checker processor is stopped when the lock-step operation is not performed; and
performing control so that a period from when a task is processed in the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period that is predetermined, the maximum test period being a test period acceptable to a system,
wherein the maximum test period is defined by subtracting a sum of a fault reaction time and a time necessary for a test process, from a fault tolerant time interval,
wherein the fault reaction time is a period from when a fault is detected to when a system including the checker and master processors changes to a stopped state, and
wherein the fault tolerant time interval is a period from when the fault occurs to when the system changes to the stopped state.
10. The control method according to claim 9, wherein
at least one fault diagnosis task is processed by interrupt handling at an interval equal to or shorter than the maximum test period, and
control is performed so that the lock-step operation is performed when the fault diagnosis task is processed by interrupt handling.
11. The control method according to claim 10, wherein control is performed so that the lock-step operation is not performed when the fault diagnosis task is not processed by interrupt handling.
12. The control method according to claim 10, wherein
a plurality of fault diagnosis tasks are processed by interrupt handling,
when a first fault diagnosis task among the plurality of fault diagnosis tasks is processed by interrupt handling, a fault diagnosis for a first area of the master processor is performed, and
when a second fault diagnosis task among the plurality of fault diagnosis tasks is processed by interrupt handling, a fault diagnosis for a second area of the master processor is performed.
13. The control method according to claim 9, wherein
a first task and a second task different from the first task are processed by interrupt handling, the first task being a task for which if a fault occurs during its execution, that fault needs to be detected, and
control is performed so that the lock-step operation is performed when the first task is processed by interrupt handling.
14. The control method according to claim 13, wherein control is performed so that the lock-step operation is performed when a fetch address in the master processor matches an address of the first task in a memory, the memory storing the plurality of tasks.
15. The control method according to claim 9, wherein
a first task and a second task different from the first task are processed by interrupt handling, the first task being a task for which if a fault occurs during its execution, that fault needs to be detected,
control is performed so that the first and second tasks are processed by the lock-step operation, and
control is performed so that the lock-step operation for the second task is not performed according to a frequency with which at least the first task is processed.
16. The control method according to claim 13, wherein when a period that has elapsed after the first task is processed by the lock-step operation becomes equal to or longer than a first period shorter than the maximum test period, and when a second processing of the first task by interrupt handling is requested, control is performed so that the first task is processed again by the lock-step operation.
17. A non-transitory computer readable medium storing a program for causing a computer to execute:
a step of performing control so that a checker processor is operated when a lock-step operation is performed, the lock-step operation being an operation in which a master processor and the checker processor each process the same task, the master processor being configured to successively process a plurality of tasks, the checker processor being configured to successively process at least one of the plurality of tasks;
a step of performing control so that the checker processor is stopped when the lock-step operation is not performed; and
a step of performing control so that a period from when a task is processed in the lock-step operation to when another task is processed in the next lock-step operation is equal to or shorter than a maximum test period that is predetermined, the maximum test period being a test period acceptable to a system,
wherein the maximum test period is defined by subtracting a sum of a fault reaction time and a time necessary for a test process, from a fault tolerant time interval,
wherein the fault reaction time is a period from when a fault is detected to when a system including the checker and master processors changes to a stopped state, and
wherein the fault tolerant time interval is a period from when the fault occurs to when the system changes to the stopped state.
18. An engine control system comprising:
first and second processors each of which is capable of processing a plurality of tasks including an engine control task by a lock-step method; and
a control unit that enables or disables the lock-step method,
wherein the control unit enables the lock-step method at a predetermined timing so that an interval between a first lock-step process and a second lock-step process subsequent to the first lock-step process is equal to or shorter than a maximum test period, the maximum test period being a test period acceptable to a system,
wherein the maximum test period is defined by subtracting a sum of a fault reaction time and a time necessary for a test process, from a fault tolerant time interval,
wherein the fault reaction time is a period from when a fault is detected to when the engine control system changes to a stopped state, and
wherein the fault tolerant time interval is a period from when the fault occurs to when the engine control system changes to the stopped state.
19. The engine control system according to claim 18, wherein the control unit makes the processors process the engine control task that occurs at the predetermined timing by the lock-step method.
20. The engine control system according to claim 19, wherein when the engine control task does not occur at the predetermined timing, a fault diagnosis task is started and the control unit makes the processors process the fault diagnosis task by the lock-step method.
21. The engine control system according to claim 18, wherein a fault diagnosis task is started at the predetermined timing and the control unit makes the processors process the fault diagnosis task by the lock-step method.
22. The engine control system according to claim 18, further comprising a sensor input interface, wherein
the engine control task is started according to an input signal supplied from the sensor input interface.
23. The engine control system according to claim 22, wherein the control unit disables the lock-step method for a task other than the engine control task.
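The control policy of claims 1, 2, 5, 20 and 23, as an added Python model that is not the patent's own circuit or code: it derives the maximum test period from the fault tolerant time interval, the fault reaction time and the test-process time, switches the checker processor on only for tasks whose faults must be detected, and starts a fault-diagnosis task in lock-step whenever the gap since the last lock-step run would otherwise exceed that period. The task names, arrival times and millisecond values are constructed for the demonstration.

```python
from dataclasses import dataclass, field


def max_test_period(ftti, fault_reaction_time, test_time):
    """Claim 1: maximum test period = FTTI - (fault reaction time + test-process time).
    All three inputs share one time unit (milliseconds in the demo below)."""
    mtp = ftti - (fault_reaction_time + test_time)
    if mtp <= 0:
        raise ValueError("FTTI leaves no room for a test period")
    return mtp


@dataclass
class LockStepController:
    """Constructed model of the control circuit, not the patent's own design:
    the checker runs only for tasks that need fault detection (claims 5 and 23),
    and a fault-diagnosis task is started in lock-step whenever no such task
    has arrived within the maximum test period (claims 2 and 20)."""
    mtp: float
    last_lockstep: float = 0.0                    # assume the system boots in lock-step at t=0
    schedule: list = field(default_factory=list)  # (time, task, checker_on) decisions

    def on_task(self, t, name, needs_detection):
        """Record the decision for a task arriving at time t; return what was scheduled."""
        decisions = []
        # Lazily reconstruct the timer-driven diagnosis runs the circuit would have
        # started at each deadline that passed before this task arrived.
        while t - self.last_lockstep > self.mtp:
            deadline = self.last_lockstep + self.mtp
            decisions.append((deadline, "fault_diagnosis", True))
            self.last_lockstep = deadline
        decisions.append((t, name, needs_detection))
        if needs_detection:
            self.last_lockstep = t
        self.schedule.extend(decisions)
        return decisions

    def max_gap(self):
        """Longest interval between consecutive lock-step executions, measured from t=0."""
        times = [t for t, _, on in self.schedule if on]
        return max(b - a for a, b in zip([0.0] + times, times)) if times else 0.0


def run_demo():
    # Constructed numbers: FTTI 100 ms, fault reaction 10 ms, test process 5 ms -> 85 ms.
    ctl = LockStepController(max_test_period(100.0, 10.0, 5.0))
    # Constructed task stream: (arrival ms, task, a fault during it must be detectable).
    for t, name, needs_detection in [(20, "engine_control", True), (60, "logging", False),
                                     (150, "logging", False), (170, "engine_control", True)]:
        ctl.on_task(t, name, needs_detection)
    return ctl
```

In the demo the second logging task arrives 130 ms after the last lock-step run, so the controller inserts a diagnosis run at 105 ms and the longest gap between lock-step executions stays at exactly the 85 ms bound.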